Full Report
The Spanish police have dismantled the largest Spanish-language manga piracy platform, operating since 2014, with millions of monthly users from around the globe. [...]
Analysis Summary
# Incident Report: Dismantling of Major Spanish Manga Piracy Platform (Tu Manga Online)
## Executive Summary
Spanish National Police, following a year-long investigation, successfully dismantled the largest Spanish-language manga piracy platform (identified as Tu Manga Online/TMO). Operating since 2014, the platform generated approximately $4.7 million in illicit advertising revenue and served millions of users globally. The operation resulted in four arrests and the seizure of significant cryptocurrency assets.
## Incident Details
- **Discovery Date:** June 2025 (Start of investigation)
- **Incident Date:** Active 2014 – April 2026
- **Affected Organization:** Global Manga Publishers, Translators, and Rights Holders
- **Sector:** Media & Intellectual Property (Entertainment)
- **Geography:** Based in Almeria, Spain; Global impact
## Timeline of Events
### Initial Access
- **Date/Time:** 2014
- **Vector:** Intentional creation of infringing web infrastructure.
- **Details:** The operators established a massive web portal to provide unauthorized access to copyright-protected manga and graphic novels.
### Lateral Movement
- **Infrastructure Expansion:** The operators built a "complex technological setup" to manage high traffic and created redundant platforms to ensure continuity in case of legal takedowns.
### Data Exfiltration/Impact
- **IP Theft:** Systemic unauthorized distribution of a massive volume of intellectual property.
- **Monetization:** Generated $4.7M via aggressive advertising (pop-ups) and cryptocurrency accumulation.
### Detection & Response
- **June 2025:** Law enforcement investigation launched following complaints from intellectual property rights holders (including Korean entities).
- **April 2026:** Coordination of raids in Almeria, Spain.
- **April 2026:** Arrest of four individuals and seizure of "cold" storage cryptocurrency wallets.
## Attack Methodology
- **Initial Access:** Creation of rogue web domains and hosting infrastructure.
- **Persistence:** Use of hidden hardware (wallets in wall thermometers) and development of secondary/backup websites.
- **Privilege Escalation:** Admin-level control over high-traffic web servers and content management systems.
- **Defense Evasion:** Use of "cold" cryptocurrency wallets to hide illicit proceeds; hiding physical storage media within household objects (thermometers).
- **Credential Access:** Not applicable (operator-led incident).
- **Discovery:** Monitoring of industry trends and user traffic to maximize ad impressions.
- **Lateral Movement:** Scaling infrastructure to support millions of monthly users.
- **Collection:** Aggregation of copyrighted digital assets and user traffic data.
- **Exfiltration:** Transfer of advertising revenue into digital assets/cryptocurrency.
- **Impact:** Financial loss to rights holders; exposure of minors to inappropriate (pornographic) advertising.
## Impact Assessment
- **Financial:** Estimated $4,700,000 in lost revenue/illicit gains.
- **Data Breach:** Massive theft of Intellectual Property (IP).
- **Operational:** Total disruption of the piracy platform's services.
- **Reputational:** High-profile dismantling of a "reference point" for Spanish-language piracy; significant harm to the publishing industry's ecosystem.
## Indicators of Compromise
- **Network Indicators:**
  - `hxxps[:]//tumangaonline[.]com` (Historically associated)
  - High-frequency pop-up ad scripts triggered on click actions.
- **File Indicators:** Not specified, but involved a "complex technological setup" on-site.
- **Behavioral Indicators:** Aggressive ad-delivery mechanisms; use of cold-storage crypto wallets for asset concealment.
## Response Actions
- **Containment:** Website taken offline following legal and police pressure.
- **Eradication:** Raid of the primary suspect's residence; seizure of servers and technological equipment.
- **Recovery:** Confiscation of over $470,000 in cryptocurrency to mitigate financial gains.
## Lessons Learned
- **Redundancy Tactics:** Threat actors increasingly develop secondary backup domains simultaneously with active ones to bypass domain seizures.
- **Physical Obfuscation:** Traditional digital forensics must be coupled with thorough physical searches, as evidenced by the discovery of USB drives hidden inside a wall thermometer.
- **International Collaboration:** Intellectual property theft on this scale requires cross-border cooperation between rights holders and local law enforcement.
## Recommendations
- **Proactive Monitoring:** Rights holders should employ automated brand protection services to detect and report infringing domains early in their lifecycle.
- **Ad-Network Regulation:** Increased pressure on ad-tech providers to vet high-traffic domains that utilize aggressive or inappropriate pop-ups.
- **Legislative Action:** Continued support for international IP enforcement treaties to facilitate the dismantling of platforms hosted in foreign jurisdictions.